Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2013/10/07 01:09:16 UTC

KAM pccc URIBL questions

Hi guys,

I'm using Kevin's KAM_FROM_URIBL_PCCC rules for the multi.pccc.com
URIBL. Why is it designed to be a poison pill? It caught cvent.com,
causing a bunch of mail to FP.

I'm just curious if this URIBL is indeed this trustworthy, if these
KAM rules are still used, and how it is working for you?

header     KAM_FROM_URIBL_PCCC    eval:check_rbl_from_host('pccc', 'multi.pccc.com.', '127.0.0.4')
describe   KAM_FROM_URIBL_PCCC    From address listed in PCCC URIBL
tflags     KAM_FROM_URIBL_PCCC    net
score      KAM_FROM_URIBL_PCCC    5.0
meta       __KAM_URIBL_PCCC       (KAM_BODY_URIBL_PCCC + KAM_FROM_URIBL_PCCC + KAM_RCVD_URIBL_PCCC >= 3)

Thanks,
Alex

Re: KAM pccc URIBL questions

Posted by Benny Pedersen <me...@junc.eu>.
Alex wrote on 2013-10-08 00:18:

> http://pastebin.com/UDuDcp4F

in local.cf

def_whitelist_auth *@cvent.com

or in user-prefs whitelist_auth *@cvent.com

in case it's ham, just not both

https://dmarcian.com/spf-survey/cvent.com
https://dmarcian.com/dmarc-inspector/cvent.com


Re: KAM pccc URIBL questions

Posted by Alex <my...@gmail.com>.
Hi,

>> I've asked the list a few times before about similar companies, such
>> as verticalresponse.com, which are also mass e-marketers, and I doubt
>> very much whether all recipients have signed up for their
>> "newsletters" or "webinars".
>
> My preference is to list quasi-legitimate spammers as spammers or at the
> very least as a "mixed" source.  Companies like verticalresponse.com
> et al. have no economic incentive to curb spamming unless they are
> threatened with a bad reputation.

I've done that to some extent, and have been moderately successful. I
found it competes with some of the whitelists, ironically.

I'm assuming this is a service you offer, or would you be able to
share your list?

Thanks everyone for your help.

Thanks,
Alex

Re: KAM pccc URIBL questions

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Mon, 7 Oct 2013 19:38:38 -0400
Alex <my...@gmail.com> wrote:

> I've asked the list a few times before about similar companies, such
> as verticalresponse.com, which are also mass e-marketers, and I doubt
> very much whether all recipients have signed up for their
> "newsletters" or "webinars".

My preference is to list quasi-legitimate spammers as spammers or at the
very least as a "mixed" source.  Companies like verticalresponse.com
et al. have no economic incentive to curb spamming unless they are
threatened with a bad reputation.

I realize this may not go over well if you have customers who use the
service or want to receive mail from it, so a light hand is required.
We maintain an (IP-based) RBL and most of these quasi-legit spammers
end up on the "mixed" list, which is as the name implies: These IPs
are shady but not bad enough to block outright, so we add a couple of
points.

Regards,

David.

Re: KAM pccc URIBL questions

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 10/7/2013 10:37 PM, Rob McEwen wrote:
> On 10/7/2013 7:42 PM, Raymond Dijkxhoorn wrote:
>> This is harming more than it does good. But it's your list so your
>> rules ;) I would not want to use it to filter my mails with it but hey
> Since this is in its early development, it is probably too early to
> judge it too much. But from what I've read in this discussion, it is
> "light years" away from the current major URI/domain blacklists out
> there (SURBL, URIBL, ivmURI, DBL)... BUT... Kevin  is  brilliant so who
> knows what it might eventually become?
Thanks. You're quite kind.  I've helped with some of the other lists but 
what I'm trying to focus on is tools and methods to identify spam and 
spammers.
> ALSO...There is an argument that a more-aggressive-than-normal AND
> low-scoring URI list may be helpful? In that sense, URIBL.com has
> traditionally been considered slightly more aggressive than the other
> lists mentioned above... SLIGHTLY! Maybe something much MORE aggressive,
> intended for very low scoring... would be useful? (this would be
> situations where bayes or checksum content filters add points to the
> spam score combined with such an aggressive URI list putting the message
> "over the top"... but then skipping blocking a legit message with this
> URI because it didn't have the other content points added and thus
> didn't score high enough--at least that is the idea)
>
I think some aggression is needed because as DFS and others put it, they 
need an impetus to change their methods.  For example, we can't just 
allow companies carte-blanche to spam and give commissions to spammers 
but then claim they aren't spammers by just saying "it's our 3rd party 
partners").

The good news is that cvent took notice of the blocking and contacted me 
offlist so I've removed their domains from the RBL while I discuss 
things with them in good faith towards improving their anti-spam procedures.

Regards,
KAM

Re: KAM pccc URIBL questions

Posted by Rob McEwen <ro...@invaluement.com>.
On 10/7/2013 7:42 PM, Raymond Dijkxhoorn wrote:
> This is harming more than it does good. But it's your list so your
> rules ;) I would not want to use it to filter my mails with it but hey

Since this is in its early development, it is probably too early to
judge it too much. But from what I've read in this discussion, it is
"light years" away from the current major URI/domain blacklists out
there (SURBL, URIBL, ivmURI, DBL)... BUT... Kevin  is  brilliant so who
knows what it might eventually become?

ALSO...There is an argument that a more-aggressive-than-normal AND
low-scoring URI list may be helpful? In that sense, URIBL.com has
traditionally been considered slightly more aggressive than the other
lists mentioned above... SLIGHTLY! Maybe something much MORE aggressive,
intended for very low scoring... would be useful? (this would be
situations where bayes or checksum content filters add points to the
spam score combined with such an aggressive URI list putting the message
"over the top"... but then skipping blocking a legit message with this
URI because it didn't have the other content points added and thus
didn't score high enough--at least that is the idea)

But I can't help but think that SOME reading this thread haven't even
tried/implemented even all the zero-cost options for the (already
matured) lists I mentioned (where applicable)?

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032


Re: KAM pccc URIBL questions

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 10/7/2013 7:42 PM, Raymond Dijkxhoorn wrote:
> Apparently other RBLs care more about collateral damage. I would not 
> list this. You would not list microsoft.com either if you accidentally 
> get a spam that you feel isn't appropriate. This is harming more than 
> it does good. But it's your list so your rules ;) I would not want to 
> use it to filter my mails with it but hey ;)
Hi Raymond,

I'm not telling people to use the list to block and I'm admitting I have 
high scores which some might want to seriously dial down.

And I think I will have to consider the collateral damage and document 
it for those interested in the list.

But to answer the theoretical question, if I got multiple spams over a 
course of weeks from employees at Microsoft, I would consider blocking 
them because it can show a culture of spamminess.  Would I block gmail 
or their outlook service for the same reason, no.

But I continually have problems with Google Groups that are abused, 
especially in Arabic and damned if I can get anyone at Google to give a 
damn.  So if I thought blocking google groups might get some attention 
on the matter, I would consider it.  This follows the same reasoning.  
The emails I have are not from 3rd parties or customers of a system but 
from people working at the system itself.

regards,
KAM

Re: KAM pccc URIBL questions

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hai!

>>> How about just cvent.com? I've uploaded the headers from one FP here:
>>> http://pastebin.com/UDuDcp4F

>> How would another RBL handle a company that I have personally received
>> evidence of spamming even if it causes FPs?

> Apparently none of the other RBLs consider it spam.

Apparently other RBLs care more about collateral damage. I would not list 
this. You would not list microsoft.com either if you accidentally get a 
spam that you feel isn't appropriate. This is harming more than it does 
good. But it's your list so your rules ;) I would not want to use it to 
filter my mails with it but hey ;)

> That's because you don't do business with them, so anything received
> is unsolicited. In my case, corporate communications are actually
> being blocked.
>
> I'm going to keep a closer eye on them, and manually inspect more of
> their mail to figure out what to do next.

That's telling it all ...

Bye,
Raymond.

Re: KAM pccc URIBL questions

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 09 Oct 2013 19:31:41 +0100
Martin Gregorie <ma...@gregorie.org> wrote:

> My suggestion, meant for the OP rather than generally, was made on
> the assumption that cvent was not going to listen to any criticism or
> police its subscribers.

Surely a mailing list provider that does not "police its subscribers"
absolutely deserves to be blocked?

> A low-cost solution would be for their outgoing MTA to add a header to
> tag outgoing messages with the identity of the subscriber.

Mailing list providers have no incentive to do this unless/until they
start getting blocked.  It's simple economics.

Regards,

David.

Re: KAM pccc URIBL questions

Posted by Martin Gregorie <ma...@gregorie.org>.
On Wed, 2013-10-09 at 13:18 -0400, Kevin A. McGrail wrote:
> On 10/7/2013 7:53 PM, Martin Gregorie wrote:
> > If, on inspection, there is any reliable way to distinguish spam from 
> > ham in the stream coming from cvent, you could drop the RBL score down 
> > a lot (0.01 ?) and write a meta that blocks just the spam.
> Perhaps but I do think there is some measure of a need for negative 
> consequences for many firms to be reliable and conscientious netizens.  
>
I'm not disagreeing with you: it would be nice if the likes of cvent
would police their subscribers better, ideally by running subscriber
output streams through SA.

My suggestion, meant for the OP rather than generally, was made on the
assumption that cvent was not going to listen to any criticism or police
its subscribers.

> I'm not "out" to get cvent but I do have some pretty hard evidence they 
> have a spamming problem.  I'm very interested in what they say about it 
> and I'm giving them the opportunity to explain.
> 
A low-cost solution would be for their outgoing MTA to add a header to
tag outgoing messages with the identity of the subscriber. This is
unforgeable since it would be added by the sending smarthost and would
make it easy to block spamming cvent subscribers with a meta-rule while
leaving other mail sources alone. It would also leave the definition of
a 'spammer' to the receiving MTA. This has benefits since some message
content is not universally regarded as spam.

Cheers,
Martin
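What the receiving side of that scheme could look like, as an added example that is not from the thread and not anything cvent actually emits: the header name X-Cvent-Subscriber and the account ids are invented. One point the suggestion leaves out is that a header is only "unforgeable" once you have checked that the message really passed through the relay that was supposed to add it; anyone can paste a header into a message they inject elsewhere. The rules below therefore require a valid DKIM signature from cvent.com (the DKIM plugin's check_dkim_valid, called with the signing domain) before the subscriber tag is believed, and treat an unsigned tag as a signal in its own right.

```spamassassin
# Added example, not from the thread or from KAM's rule set.
# Assumed: cvent's outgoing relay stamps "X-Cvent-Subscriber: <account id>"
# on every message and covers that header with its DKIM signature.
# The header name, the account ids and the scores are made up.

header   __LOCAL_CVENT_SUBSCRIBER   exists:X-Cvent-Subscriber
header   __LOCAL_CVENT_BAD_ACCT     X-Cvent-Subscriber =~ /^(?:acct-1042|acct-2377)$/
# Only believe the tag when the message carries a valid cvent.com DKIM signature.
header   __LOCAL_CVENT_DKIM         eval:check_dkim_valid('cvent.com')

# Accounts already seen spamming here, and only when the tag is authenticated.
meta     LOCAL_CVENT_ABUSER         (__LOCAL_CVENT_DKIM && __LOCAL_CVENT_BAD_ACCT)
describe LOCAL_CVENT_ABUSER         Mail from a cvent account already seen spamming here
score    LOCAL_CVENT_ABUSER         5.0

# The tag without a cvent signature means someone is dressing up as cvent.
meta     LOCAL_CVENT_FORGED_TAG     (__LOCAL_CVENT_SUBSCRIBER && !__LOCAL_CVENT_DKIM)
describe LOCAL_CVENT_FORGED_TAG     Subscriber tag present but not signed by cvent.com
score    LOCAL_CVENT_FORGED_TAG     2.0
```

For the binding to hold, the sender would have to list the tag in the signed header set (h=) of its DKIM signature; a header outside h= can be appended after signing without invalidating it. Mail that reaches you through a forwarder that breaks the signature would land in LOCAL_CVENT_FORGED_TAG, which is why that score is kept modest.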

Re: KAM pccc URIBL questions

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 10/7/2013 7:53 PM, Martin Gregorie wrote:
> If, on inspection, there is any reliable way to distinguish spam from 
> ham in the stream coming from cvent, you could drop the RBL score down 
> a lot (0.01 ?) and write a meta that blocks just the spam.
Perhaps but I do think there is some measure of a need for negative 
consequences for many firms to be reliable and conscientious netizens.  
I'm not "out" to get cvent but I do have some pretty hard evidence they 
have a spamming problem.  I'm very interested in what they say about it 
and I'm giving them the opportunity to explain.

regards,
KAM


Re: KAM pccc URIBL questions

Posted by Martin Gregorie <ma...@gregorie.org>.
On Mon, 2013-10-07 at 19:38 -0400, Alex wrote:

> There wasn't really any consensus on the list for this sender either.
> I've left them off my blacklist for now, despite seeing messages
> pertaining to "hair care" and gutter cleaning from their customers.
> They're also not on any public blocklists.
> 
If, on inspection, there is any reliable way to distinguish spam from
ham in the stream coming from cvent, you could drop the RBL score down a
lot (0.01 ?) and write a meta that blocks just the spam.


Martin
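A concrete shape for this suggestion (and for Rob McEwen's point elsewhere in the thread that an aggressive list is usable if it is scored low and only tips the balance together with content evidence), added here as an example rather than anything from the thread or from KAM's published rules: the PCCC listing is kept at a token score and only counts when independent evidence agrees and the message is not one of the confirmations that must get through. The body patterns, the __LOCAL_ rule names and the 4.0 score are assumptions to be replaced with whatever actually separates the two streams in your quarantine; KAM_FROM_URIBL_PCCC is the rule quoted at the top of the thread and BAYES_95 / BAYES_99 are stock SpamAssassin rule names.

```spamassassin
# Added example, not from the thread or from KAM's rule set.
# Assumed: the two body patterns below distinguish cvent's marketing
# traffic from the event confirmations; adjust them to your own samples.

# Keep the listing as evidence but take its weight away.
score    KAM_FROM_URIBL_PCCC       0.01

# Assumed marker for the unwanted stream (bulk marketing copy).
body     __LOCAL_CVENT_MARKETING   /\b(?:webinar|register today|limited seats)\b/i

# Assumed marker for the mail that must not be lost: event confirmations.
body     __LOCAL_CVENT_CONFIRM     /\b(?:your registration is confirmed|confirmation number)\b/i

# Fire only when the listing agrees with independent content evidence,
# and never on a confirmation.
meta     LOCAL_CVENT_SPAM          (KAM_FROM_URIBL_PCCC && __LOCAL_CVENT_MARKETING && !__LOCAL_CVENT_CONFIRM && (BAYES_95 || BAYES_99))
describe LOCAL_CVENT_SPAM          PCCC-listed sender plus marketing content plus high Bayes
score    LOCAL_CVENT_SPAM          4.0
```

Run a sample of the quarantined cvent mail through spamassassin -t before and after the change to confirm the confirmation messages no longer cross the threshold; the meta depends on a net rule, so the test must run with network checks enabled (without -L).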

Re: KAM pccc URIBL questions

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 10/7/2013 7:38 PM, Alex wrote:
> How would another RBL handle a company that I have personally received
> evidence of spamming even if it causes FPs?
> Apparently none of the other RBLs consider it spam.
Well then the RBL I'm envisioning might be different.  But my goal is to 
get the framework done and a Proof of Concept and hand it over to the 
project so it could evolve.
>
> I've asked the list a few times before about similar companies, such
> as verticalresponse.com, which are also mass e-marketers, and I doubt
> very much whether all recipients have signed up for their
> "newsletters" or "webinars".
>
> There wasn't really any consensus on the list for this sender either.
> I've left them off my blacklist for now, despite seeing messages
> pertaining to "hair care" and gutter cleaning from their customers.
> They're also not on any public blocklists.
I haven't seen any samples for them but I have some techniques I use 
with things like specific email addresses, etc. that make misuse very 
apparent.

I often see spams that appear to be database compromises because of 
this.  Just looking at a few days sampling, I can spot:

eWeek
Seagate
MotleyFool
Joomla Shack
Dropbox
DynDNS
Online Sports
Red Envelope
WhitePaperWizard
SecurePayNet/Wild West Domains

That's a 5 minute list and there could be explanations beyond database 
compromises.  But I'm sure people like DFS and those who use 
one-off/specific email addresses for vendors can tell you about when 
they see supposedly private information get out with no notification to 
those affected.

And I'm not listing the companies that I've contacted who have 
appropriately gone "Oh Crap!" and handled it professionally.  Some like 
SecurePayNet handled it very unprofessionally in my opinion wasting time 
of people like me just trying to help them realize they have a major 
security risk.  Lead a horse to water...
> How many of those are now on the dbl or zen?
Spot checking URIBL_DBL shows some overlap but it's very minimal when 
the entries are added.  As the days go by, the overlap appears higher.  
I only have __RCVD_IN_ZEN so I don't have logging of subtests so I can't 
easily check overlap.

>
>> I agree it has collateral damage.  You can explain to them that the emails
>> can be found marked as spam because the company running the events are
>> spammers is my main response.  And searching more about cvent.com just makes
>> me question their practices and others (such as
>> http://www.pissedconsumer.com/reviews-by-company/cvent.html) have confirmed
>> what I have seen which is harvesting of Whois data and spamming it.
> Yeah, I saw that too. Their response to me would be to figure out a
> way to only let their legitimate stuff through. I could probably also
> make some noise to get a contact there through my customer, but it
> would probably only lead to lip service. I'd never be able to get them
> to switch providers, and as we've seen with verticalresponse, the
> alternatives have issues too.
I am a bit jaded as well but I have a nice email from someone at cvent 
to go deal with so I'll keep my faith in humanity a bit longer.

> I just figured that since it's immediately being dropped, perhaps
> sending them a bounce would help to control the number you receive
> from them, if not just firewall their block outright.
Or just let them know what they have to scrap out of their lists to hide 
the problem...

Yes, it's nice to stop spam but I'm reaching for a higher goal to stop 
spammers.


> That's because you don't do business with them, so anything received
> is unsolicited. In my case, corporate communications are actually
> being blocked.
Conjecture that's untrue.  I blocked them noting the collateral damage 
but again, on our system, we do not block mail, we receive and it's 
tagged as spam allowing a user to manually intervene and get the email.  
We encourage them to contact the company to complain and/or switch to 
more reputable vendors.

Regards,
KAM
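Subtest rules for ZEN, added as an example of how to get the per-sub-list hits into the tests= log line so the overlap mentioned above can be counted; this is not code from the thread. The rule shapes and the 127.0.0.x return codes follow the stock SpamAssassin zen rules and Spamhaus's published ZEN return codes (2 for SBL, 4 to 7 for XBL, 10 and 11 for PBL). KAM_RCVD_URIBL_PCCC is the Received-based rule named in the meta quoted at the top of the thread; LOCAL_PCCC_AND_ZEN and its 0.001 score are assumed, the tiny score being what makes a rule appear in the log without moving the total.

```spamassassin
# Added example, not from the thread. One lookup, then subtests on the
# returned address, so each sub-list is logged by name.
header   __RCVD_IN_ZEN        eval:check_rbl('zen', 'zen.spamhaus.org.')
header   RCVD_IN_SBL          eval:check_rbl_sub('zen', '127.0.0.2')
header   RCVD_IN_XBL          eval:check_rbl_sub('zen', '127.0.0.[4567]')
header   RCVD_IN_PBL          eval:check_rbl_sub('zen', '127.0.0.1[01]')
tflags   RCVD_IN_SBL          net
tflags   RCVD_IN_XBL          net
tflags   RCVD_IN_PBL          net
score    RCVD_IN_SBL          2.0
score    RCVD_IN_XBL          2.0
score    RCVD_IN_PBL          1.0

# Assumed name: a message whose relay is listed both by the PCCC RBL and by
# a ZEN sub-list. Scored just above zero so it is logged but not weighted.
meta     LOCAL_PCCC_AND_ZEN   (KAM_RCVD_URIBL_PCCC && (RCVD_IN_SBL || RCVD_IN_XBL || RCVD_IN_PBL))
describe LOCAL_PCCC_AND_ZEN   Relay listed by both PCCC and Spamhaus ZEN
score    LOCAL_PCCC_AND_ZEN   0.001
```

Counting LOCAL_PCCC_AND_ZEN hits against KAM_RCVD_URIBL_PCCC hits in the spamd log over a few days then gives the overlap directly, and the SBL/XBL/PBL names show which sub-list the overlap lands in.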

Re: KAM pccc URIBL questions

Posted by Alex <my...@gmail.com>.
Hi,

>> How about just cvent.com? I've uploaded the headers from one FP here:
>> http://pastebin.com/UDuDcp4F
>
> How would another RBL handle a company that I have personally received
> evidence of spamming even if it causes FPs?

Apparently none of the other RBLs consider it spam.

I've asked the list a few times before about similar companies, such
as verticalresponse.com, which are also mass e-marketers, and I doubt
very much whether all recipients have signed up for their
"newsletters" or "webinars".

There wasn't really any consensus on the list for this sender either.
I've left them off my blacklist for now, despite seeing messages
pertaining to "hair care" and gutter cleaning from their customers.
They're also not on any public blocklists.

>> Somehow I forgot this was your RBL. How many entries are on it?
>
> Approximately 1700 for the past 30 days.

How many of those are now on the dbl or zen?

> I agree it has collateral damage.  You can explain to them that the emails
> can be found marked as spam because the company running the events are
> spammers is my main response.  And searching more about cvent.com just makes
> me question their practices and others (such as
> http://www.pissedconsumer.com/reviews-by-company/cvent.html) have confirmed
> what I have seen which is harvesting of Whois data and spamming it.

Yeah, I saw that too. Their response to me would be to figure out a
way to only let their legitimate stuff through. I could probably also
make some noise to get a contact there through my customer, but it
would probably only lead to lip service. I'd never be able to get them
to switch providers, and as we've seen with verticalresponse, the
alternatives have issues too.

>> With a poison pill attitude towards them, wouldn't it just be better
>> to reject them outright?
>
> I don't use any RBLs for rejection, only for scoring.

I just figured that since it's immediately being dropped, perhaps
sending them a bounce would help to control the number you receive
from them, if not just firewall their block outright.

> The RBL is built out of a manually-reviewed corpora of complaints that I
> cull together from users.  The scores reflect that it's seen and approved as
> being consistent with a spammer.  And cvent.com isn't a FP because I've
> personally reviewed the corpora entry and it's not only scraped, they also

That's because you don't do business with them, so anything received
is unsolicited. In my case, corporate communications are actually
being blocked.

I'm going to keep a closer eye on them, and manually inspect more of
their mail to figure out what to do next.

Thanks,
Alex

Re: KAM pccc URIBL questions

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 10/7/2013 6:18 PM, Alex wrote:
> How about just cvent.com? I've uploaded the headers from one FP here: 
> http://pastebin.com/UDuDcp4F 
How would another RBL handle a company that I have personally received 
evidence of spamming even if it causes FPs?
>> I personally received the spam from them from what appears to be scraped
>> whois data: http://pastebin.com/Q0knc6ei has the headers for the two emails.
>>
>> So if cvent is legit, they are being abused by people sending spam and I
>> consider them candidates for the list but I'm open to suggestions.
> They're a huge event planning company, but also apparently are email marketers.
Agreed.  I see the duality issue.  I just don't know that I plan to give 
them any leniency.
> Somehow I forgot this was your RBL. How many entries are on it?
Approximately 1700 for the past 30 days.
> What's
> your procedure for adding them?
Right now, very manual.  We are testing procedures that bring more 
automation to the research process.
>> I also might recommend you consider lowering the scores I am using. I often
>> write poison pill rules that the project would never allow but they are
>> based on careful analysis of my corpora.  YMMV and I'm open to feedback as I
>> mentioned.  Just don't expect to always like my decisions.
> We had one user complain, and after investigating, realized there are
> hundreds of messages in the quarantine from this sender. They mostly
> appear to be just e-marketing crap, but there are a few where people
> have actually planned events and missed their confirmation emails,
> etc., so I can't just block them.
I agree it has collateral damage.  You can explain to them that the 
emails can be found marked as spam because the company running the 
events are spammers is my main response.  And searching more about 
cvent.com just makes me question their practices and others (such as 
http://www.pissedconsumer.com/reviews-by-company/cvent.html) have 
confirmed what I have seen which is harvesting of Whois data and 
spamming it.
> With a poison pill attitude towards them, wouldn't it just be better
> to reject them outright?
I don't use any RBLs for rejection, only for scoring.
> Anyway, I'm hoping you could explain your RBL further, because I value
> your expertise, and would like to take advantage of this, but will
> probably have to adapt a bit for my environment.
Understood completely and the scores are there for you to override.

The RBL is built out of a manually-reviewed corpora of complaints that I 
cull together from users.  The scores reflect that it's seen and 
approved as being consistent with a spammer.  And cvent.com isn't a FP 
because I've personally reviewed the corpora entry and it's not only 
scraped, they also added technology to try and make the scraping appear 
more personal but that technology introduced errors.  Whether they are 
buying lists or doing this internally, the emails I sampled did not come 
from partners but from people inside the firm.  As such I can only gather 
that they have a piss-poor culture of spamming.

Regards,
KAM

Re: KAM pccc URIBL questions

Posted by Alex <my...@gmail.com>.
Hi Kevin,

>> I'm using Kevin's KAM_FROM_URIBL_PCCC rules for the multi.pccc.com
>> URIBL. Why is it designed to be a poison pill? It caught cvent.com,
>> causing a bunch of mail to FP.
>>
>> I'm just curious if this URIBL is indeed this trustworthy, if these
>> KAM rules are still used, and how it is working for you?
>
> I use those rules ;-) And currently that RBL is in testing stages where I am
> personally vetting all the data.  So I believe the trustability is quite
> high.  Please email if you have questions and we do look at them.
>
> cvent-munge.com was added on 9-24 and cventsurveys-munge.com added on 10-1.

How about just cvent.com? I've uploaded the headers from one FP here:

http://pastebin.com/UDuDcp4F

> I personally received the spam from them from what appears to be scraped
> whois data: http://pastebin.com/Q0knc6ei has the headers for the two emails.
>
> So if cvent is legit, they are being abused by people sending spam and I
> consider them candidates for the list but I'm open to suggestions.

They're a huge event planning company, but also apparently are email marketers.

Somehow I forgot this was your RBL. How many entries are on it? What's
your procedure for adding them?

> I also might recommend you consider lowering the scores I am using. I often
> write poison pill rules that the project would never allow but they are
> based on careful analysis of my corpora.  YMMV and I'm open to feedback as I
> mentioned.  Just don't expect to always like my decisions.

We had one user complain, and after investigating, realized there are
hundreds of messages in the quarantine from this sender. They mostly
appear to be just e-marketing crap, but there are a few where people
have actually planned events and missed their confirmation emails,
etc., so I can't just block them.

With a poison pill attitude towards them, wouldn't it just be better
to reject them outright?

Anyway, I'm hoping you could explain your RBL further, because I value
your expertise, and would like to take advantage of this, but will
probably have to adapt a bit for my environment.

Thanks buddy,
Alex

Re: KAM pccc URIBL questions

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 10/6/2013 7:09 PM, Alex wrote:
> I'm using Kevin's KAM_FROM_URIBL_PCCC rules for the multi.pccc.com
> URIBL. Why is it designed to be a poison pill? It caught cvent.com,
> causing a bunch of mail to FP.
>
> I'm just curious if this URIBL is indeed this trustworthy, if these
> KAM rules are still used, and how it is working for you?
I use those rules ;-) And currently that RBL is in testing stages where 
I am personally vetting all the data.  So I believe the trustability is 
quite high.  Please email if you have questions and we do look at them.

cvent-munge.com was added on 9-24 and cventsurveys-munge.com added on 10-1.

I personally received the spam from them from what appears to be scraped 
whois data: http://pastebin.com/Q0knc6ei has the headers for the two emails.

So if cvent is legit, they are being abused by people sending spam and I 
consider them candidates for the list but I'm open to suggestions.

I then considered removing the entries but upon checking further, I 
found more spams from people who work at cvent.  And it appears they 
have scraped my association with a law firm by address in whois (5335 
Wisconsin Avenue) and tied me to Springvalley Law Group. Right address, 
wrong suite, wrong company, still never had permission to spam me. They 
are spammers and should be blocked.  If you are using them, consider 
taking your business elsewhere as they support spammers using their 
system AND they themselves send spam.

I am also positive but only from memory that they spam an NPO I work 
with as well all the time trying to get us to use their services.

I also might recommend you consider lowering the scores I am using. I 
often write poison pill rules that the project would never allow but 
they are based on careful analysis of my corpora.  YMMV and I'm open to 
feedback as I mentioned.  Just don't expect to always like my decisions.

Regards,
KAM